From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Anatoly Trosinenko, Nicolas Pitre
Subject: [PATCH 3.18 52/90] Cramfs: fix a bad comparison when wrap-arounds occur
Date: Mon, 19 Nov 2018 17:29:34 +0100
Message-Id: <20181119162629.184627788@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181119162620.585061184@linuxfoundation.org>
References: <20181119162620.585061184@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Nicolas Pitre

commit 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 upstream.

It is possible for corrupted filesystem images to produce very large block offsets that may wrap when a length is added, and wrongly pass the buffer size test.

Reported-by: Anatoly Trosinenko
Signed-off-by: Nicolas Pitre
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman
---
 fs/cramfs/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/cramfs/inode.c +++ b/fs/cramfs/inode.c @@ -185,7 +185,8 @@ static void *cramfs_read(struct super_bl continue; blk_offset = (blocknr - buffer_blocknr[i]) << PAGE_CACHE_SHIFT; blk_offset += offset; - if (blk_offset + len > BUFFER_SIZE) + if (blk_offset > BUFFER_SIZE || + blk_offset + len > BUFFER_SIZE) continue; return read_buffers[i] + blk_offset; }
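
Review bot: the second half of the new condition in cramfs_read(), "blk_offset + len > BUFFER_SIZE", still performs the addition that the commit message says can wrap. The added "blk_offset > BUFFER_SIZE" test bounds blk_offset, but nothing in this hunk bounds len, so the check is only sound if every caller keeps len small; neither that guarantee nor the declarations of blk_offset and len are visible here. Consider writing the second test as "len > BUFFER_SIZE - blk_offset", which cannot wrap once the first test has passed, and adding a one-line comment above the condition saying why the offset is compared on its own, so a later cleanup does not fold the two comparisons back into one.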
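
The wrap-around described in the commit message, as an added example that is not part of the original mail or of the kernel source: a user-space C model comparing the pre-patch test, the patched test, and a hypothetical subtraction-based form. BUFFER_SIZE_MODEL, the 32-bit unsigned types, the function names and all input values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's BUFFER_SIZE; the real value is not on the page. */
#define BUFFER_SIZE_MODEL (4u << 12)

/* Assumption: blk_offset and len are 32-bit unsigned, so sums wrap modulo 2^32. */

/* Test as it stood before the patch: returns 1 when the read is accepted. */
static int check_old(uint32_t blk_offset, uint32_t len)
{
    return !(blk_offset + len > BUFFER_SIZE_MODEL);
}

/* Test as patched: the offset is bounded before the sum is compared. */
static int check_patched(uint32_t blk_offset, uint32_t len)
{
    return !(blk_offset > BUFFER_SIZE_MODEL ||
             blk_offset + len > BUFFER_SIZE_MODEL);
}

/* Hypothetical wrap-free form (not from the patch): no addition at all. */
static int check_nowrap(uint32_t blk_offset, uint32_t len)
{
    return blk_offset <= BUFFER_SIZE_MODEL &&
           len <= BUFFER_SIZE_MODEL - blk_offset;
}

int main(void)
{
    /* Constructed inputs: in range, wrapping offset, wrapping length. */
    static const struct { uint32_t off, len; const char *what; } cases[] = {
        { 16u,               128u,        "in range" },
        { 0xFFFFFFC0u,       128u,        "huge offset, sum wraps to 64" },
        { BUFFER_SIZE_MODEL, 0xFFFFC001u, "huge len, sum wraps to 1" },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-30s old=%d patched=%d nowrap=%d\n", cases[i].what,
               check_old(cases[i].off, cases[i].len),
               check_patched(cases[i].off, cases[i].len),
               check_nowrap(cases[i].off, cases[i].len));
    return 0;
}
```

The third case is accepted by the patched test only in this model; whether len can be that large in cramfs_read() depends on callers the page does not show.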